This page is for users who need to configure the rules in non-ASL environments.
About the rules
The gotroot.com rules are written by us - we are the gotroot guys. Same great rules, same team. gotroot.com is our Information Assurance lab and Atomicorp is the product arm of Prometheus Global (the parent company of both). So whether you get the gotroot.com rules from atomicorp.com or gotroot.com, you are getting the same rules from the same people who created, write and maintain them. In the future we will be merging the gotroot.com, atomicrocketturtle and atomicorp websites into the atomicorp.com website.

Installation of the rules assumes a certain level of comfort with configuring Apache. If you are not comfortable with configuring Apache, contact someone who is, or use our Atomic Secured Linux (ASL) product, which does this for you and does not require you to configure Apache.
Real Time Rule Support
If you have a subscription to the real time rules, you can request email support by sending an email to: support@atomicorp.com
The Customer Support Forums are located here. You can post there, but the public forums are for the labs and the free rules; if you post in the customer forums, the support team monitors those regularly:
Customer Support Forums
And the Customer Support Portal is located here (you can submit bug reports and open cases through the portal):
Customer Support Portal
You will need to request a portal account the first time you access the portal. Support accounts are issued manually by checking the status of a customer's account, so the process may take some time if the office is closed. In the future the process will be fully automated at sign-up.
ModSecurity 2.5 download
If you are running ASL, do not manually install ModSecurity. ASL installs ModSecurity for you; always use the ModSecurity RPMs we include with ASL.

Atomicorp RPM repository
You can also build ModSecurity from source. We do not support source installs or third-party builds of ModSecurity. To download the ModSecurity source, visit:
http://sourceforge.net/projects/mod-security/
ModSecurity Rules download
If you have not already set up a subscription for the Real Time feed, you can do so here:

Real Time Feed Signup
Once your account is setup, you can download the Real Time rules from here:
Real Time Rules Download
For other users, the free Delayed/Unsupported feed is available below. Keep in mind that the Delayed feed is released 30 days after the Real Time feed (including any fixes).
Delayed/Unsupported Feed Download
If you want to try out Atomic Secured Linux (ASL) on a trial basis, please send an email to sales@atomicorp.com and we'll set you up an account!
The differences between the Real Time and Delayed Feeds
The Real Time feed is available via subscription. It includes the latest updates we produce on a daily basis and any fixes, and it comes with support to help you with any issues you may experience with the rules, including fixing false positives. When false positives are reported to us we generally get an update out the same day. So no more hassles working with ModSecurity if you use the Real Time feed!

The Real Time feed also comes with an unsupported rules updater. It works for most systems, but because every system differs we cannot know for sure that it will work with your ModSecurity setup. If you need support for a rules updater, you are encouraged to upgrade to the full Atomic Secured Linux package, which includes a fully integrated automatic rules updater, rules management tools, SIM, a web-based GUI, real-time malware prevention, the strongest kernel security on the market, FTP and web malware protection, a built-in vulnerability scanner/auto-fix system and more!
The Delayed Feed is a free version of the Real Time feed and is released on a delayed schedule of at least 30 days. It does not include any support.
Note: Atomic Secured Linux includes the Real Time feed.
Licenses
The Real Time Atomic ModSecurity Rules are licensed per server. For each license you can also run the rules on one Development and one QA server.

If you require additional licenses, log into the AtomiCorp License Manager. There you can add additional systems, control your payment methods and sign up to become an affiliate.
You can run the Free/Delayed rules on as many systems as you like.
Setting up modsecurity 2.5.x
Assuming you have a ModSecurity 2.5.12 RPM (or higher) installed from the Atomic repository, create these directories as root:

Note: You are encouraged to use our RPMs; issues involving non-Atomicorp builds of mod_security are not supported under rules-only subscriptions.

    mkdir /etc/httpd/modsecurity.d
    mkdir /var/asl
    mkdir /var/asl/tmp
    mkdir /var/asl/data
    mkdir /var/asl/data/msa
    mkdir /var/asl/data/audit
    mkdir /var/asl/data/suspicious

Then set the permissions on these directories as shown below. In this example the directories are owned by the user "apache" and the group "apache", which is standard on a normal CentOS or RHEL system. However, some control panels configure Apache to run as a different user, such as nobody or http. Check your system to see which user it uses. You can find the user with this command:

    ps auxwww | grep httpd

The output will look similar to this:
(RHEL/CentOS example with or without Plesk)

    root   26755 0.0 4.3 430752  86432 ? Ss 04:30 0:01 /usr/sbin/httpd
    apache 26908 0.0 3.7 300564  75076 ? S  04:30 0:00 /usr/sbin/httpd
    apache 26909 0.1 5.5 495812 112084 ? S  04:30 0:37 /usr/sbin/httpd
    apache 26910 0.0 5.3 495424 106672 ? S  04:30 0:23 /usr/sbin/httpd
    apache 26911 0.1 5.7 495892 114368 ? S  04:30 0:57 /usr/sbin/httpd
    apache 26912 0.1 5.7 496056 114440 ? S  04:30 0:52 /usr/sbin/httpd
    apache 26913 0.1 5.5 496604 110692 ? S  04:30 0:57 /usr/sbin/httpd
    apache 26914 0.0 5.7 499324 116236 ? S  04:30 0:16 /usr/sbin/httpd
    apache 26915 0.2 5.5 493600 112192 ? S  04:30 1:09 /usr/sbin/httpd
    apache 26916 0.1 6.4 513760 129992 ? S  04:30 0:30 /usr/sbin/httpd

In this example the user in the first column of the worker processes is "apache" (the first line, owned by root, is the parent process that spawns the workers). This is the user that should own the directories, as in the example below:

    chown apache:apache /var/asl/data/msa
    chown apache:apache /var/asl/data/audit
    chown apache:apache /var/asl/data/suspicious
    chmod -R o-rx /var/asl/data/*
    chmod -R ug+rwx /var/asl/data/*

(RHEL/CentOS example with cPanel)
    root   20594 86.8 3.1 255148 181232 ? Ss 11:39 0:04 /usr/local/apache/bin/httpd -k restart
    root   20611  0.0 3.1 255060 179596 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20612  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20613  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20614  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20615  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20616  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart

In this example from a CentOS system running cPanel the worker user is "nobody", so you would use these commands:

    chown nobody:nobody /var/asl/data/msa
    chown nobody:nobody /var/asl/data/audit
    chown nobody:nobody /var/asl/data/suspicious
    chmod -R o-rx /var/asl/data/*
    chmod -R ug+rwx /var/asl/data/*
These directories must also be created if you use the optional rules updater. Create them as root; they only need to be accessed by root:

    mkdir /var/asl/updates
    mkdir /var/asl/rules
    mkdir /var/asl/rules/clamav

Create this file (the /etc/asl directory must exist first; create it with mkdir /etc/asl if it does not):

    touch /etc/asl/whitelist

This file contains a list of IPs you want to exclude from ALL rules. Those IPs can do anything to your system, so be very careful about which IPs you add to this list; this is a dangerous thing to do. The format of the file is a single IP per line.
Cpanel users should skip to the notes at the bottom of this page for special additional actions for cpanel systems. All other users should continue with these instructions.
You then need to tell apache to load modsecurity. Depending on your apache configuration, apache should be configured to include configuration files. If you have a setting like this in your apache config:
    Include conf.d/*.conf

then you are set up to load external configuration files. If you do not have this, it is highly recommended that you add it; this installation guide is written for that type of configuration. mod_security is loaded by including a modsecurity.conf file in that directory. We recommend naming the file 00_modsecurity.conf so that it is included first (Apache processes the files matched by a wildcard Include in alphabetical order). It is vitally important that ModSecurity loads before other modules; otherwise attacks can reach them before ModSecurity scans the request and some attacks can be missed.
An example 00_modsecurity file that works with our files is included here:
    LoadModule security2_module modules/mod_security2.so
    LoadModule unique_id_module modules/mod_unique_id.so
    Include modsecurity.d/modsecurity_crs_10_config.conf
    Include modsecurity.d/*asl*.conf

Install this file in your conf.d directory. On a standard RHEL or CentOS system that directory is:

    /etc/httpd/conf.d/

The relative Include paths resolve against ServerRoot (/etc/httpd on RHEL/CentOS), so they point at /etc/httpd/modsecurity.d/. You then need to create your modsecurity_crs_10_config.conf. Here is an example file that also works with our rules:
    SecRuleEngine On
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 2621440
    SecServerSignature Apache
    SecComponentSignature 200911012341
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Concurrent
    SecAuditLog logs/audit_log
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 131072
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial

SecTmpDir only needs to be writable by the Apache user; /var/asl/tmp, created above, is a tighter choice than the world-writable /tmp if you prefer.

Note: If you are not using our mod_security RPMs you will also need to add these lines to your mod_security configuration:

    SecPcreMatchLimit 100000
    SecPcreMatchLimitRecursion 100000

Install this file in your modsecurity.d directory, which, if you followed the instructions above, is:

    /etc/httpd/modsecurity.d

You are now ready to install the rules.
Installing the rules
If you configure the rules updater, this process is taken care of for you. If you choose to do it manually, follow the instructions below.

Download the rules to a temporary directory using your favorite download tool, then extract them:
    tar zxvf /var/asl/updates/modsec-200911012341.tar.gz

Then copy the ASL rules into /etc/httpd/modsecurity.d:
    cp modsec/* /etc/httpd/modsecurity.d/

Finally, load the rules. Make sure you have this line at the bottom of 00_modsecurity.conf if you want to load all the rules:
    Include /full/path/to/your/rules/modsecurity.d/*asl*.conf

Or, if you want to load only some of the rules, specify just those rule files. For example:
    Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
    Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf

NOTE: If you use this file:
    05_asl_scanner.conf

make sure you have clamd installed and configured to listen on a TCP port, or, if you use a socket, make sure Apache can read from and write to that socket. Running clamd as root is a last resort: it means attacker-supplied uploads are parsed by a root process, so fixing the socket permissions instead (LocalSocketGroup and LocalSocketMode in clamd.conf, with the Apache user in that group) is the safer option. Using this file forces all web uploads on your system to go through ClamAV to look for malware, viruses and so on. If you do not need that, leave this config file out. You will also need to set up the scanner script, written in Perl, which you can download here:
modsec-clamscan.pl
Setup of this tool is not supported in the rules subscription. You will need to install it on your system and ensure that it is working with your apache setup.
Real-time malware upload protection is supported in ASL. If you need real-time malware upload protection for web or FTP, upgrade to ASL, which includes high-speed malware upload protection, full support, automatic and hassle-free installation, protection for HTTP, SSH and FTP uploads, and our real-time malware detection and prevention system, among ASL's many other features.
Testing
Before restarting Apache we recommend you test your configuration with Apache's configtest. On a standard system you can do this by calling your Apache init script:

    /etc/init.d/httpd configtest

(apachectl configtest or httpd -t does the same.) If you get errors, check that you do not have extraneous files installed. You should only have these rule files:

    05_asl_exclude.conf
    05_asl_user_exclude.conf
    10_asl_antimalware.conf
    10_asl_rules.conf
    20_asl_useragents.conf
    30_asl_antispam.conf
    40_asl_apache2-rules.conf
    50_asl_rootkits.conf
    60_asl_recons.conf
    99_asl_jitp.conf
    blacklist.txt
    domain-blacklist.txt
    domain-spam-whitelist.conf
    malware-blacklist.txt
    referer_spam.txt
    sql.txt
    trusted-domains.conf
    whitelist.txt
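The manual install and the pre-configtest check above as one script. This is an added example, not code from the Atomicorp page: EXPECTED_FILES is the list the page gives, while the function names and the separate run_configtest helper are this example's own.

```shell
#!/bin/sh
# Added example (not from the Atomicorp page): copy an extracted ruleset into
# the modsecurity.d directory, then verify the directory holds exactly the
# files the page lists. A leftover file from an older ruleset or a stray
# editor backup is a common reason configtest fails, so report those before
# touching Apache.

# The rule files the page says should be present (page's list, verbatim).
EXPECTED_FILES='05_asl_exclude.conf
05_asl_user_exclude.conf
10_asl_antimalware.conf
10_asl_rules.conf
20_asl_useragents.conf
30_asl_antispam.conf
40_asl_apache2-rules.conf
50_asl_rootkits.conf
60_asl_recons.conf
99_asl_jitp.conf
blacklist.txt
domain-blacklist.txt
domain-spam-whitelist.conf
malware-blacklist.txt
referer_spam.txt
sql.txt
trusted-domains.conf
whitelist.txt'

# Print expected files missing from directory $1; return 1 if any are missing.
missing_rule_files() {
    dir="$1"; found=0
    for name in $EXPECTED_FILES; do
        [ -e "$dir/$name" ] || { printf '%s\n' "$name"; found=1; }
    done
    [ "$found" -eq 0 ]
}

# Print files in directory $1 that are not on the list; return 1 if any exist.
# modsecurity_crs_10_config.conf lives in the same directory per the page,
# so it is allowed explicitly.
unexpected_rule_files() {
    dir="$1"; found=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        [ "$name" = modsecurity_crs_10_config.conf ] && continue
        if ! printf '%s\n' "$EXPECTED_FILES" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"; found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Copy the extracted rules from $1 into $2 (default /etc/httpd/modsecurity.d)
# and fail unless the result matches the expected list exactly.
install_rules() {
    src="$1"; dst="${2:-/etc/httpd/modsecurity.d}"
    mkdir -p "$dst" && cp "$src"/* "$dst"/ || return 1
    missing_rule_files "$dst" || return 1
    unexpected_rule_files "$dst" || return 1
}

# Run Apache's configtest with whichever entry point this system has.
run_configtest() {
    if command -v httpd >/dev/null 2>&1; then httpd -t
    elif command -v apachectl >/dev/null 2>&1; then apachectl configtest
    else echo "no httpd/apachectl on PATH; run configtest by hand" >&2; return 1
    fi
}
```

Typical use after extracting the tarball: `install_rules ./modsec && run_configtest` before restarting Apache. The check deliberately does not delete unexpected files; it names them so you can decide whether each is a stale rule file or something you added on purpose.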
Rule Updater
ASL users: DO NOT USE THIS. YOU DO NOT NEED IT. ASL DOES THIS FOR YOU. INSTALLING ASL-LITE WILL BREAK YOUR SETUP.

ASL automatically updates rules.
ASL Lite is a new lightweight rule updater designed specifically as an atomicorp.com mod_security rule downloader for custom Apache environments, control panel software like cPanel and DirectAdmin, and non-Apache or mixed web server setups. ASL Lite provides a guided dialog, similar to the standard ASL configuration, that lets you define custom commands for restarting web services and the location of configuration files, and it can be run from cron.
ASL Lite is available in the Atomic channel:
    wget -q -O - http://www.atomicorp.com/installers/atomic | sh
    yum install asl-lite

Note that the first command pipes a script fetched over plain HTTP straight into a root shell, so anyone able to tamper with that connection gets root on your server. Download the installer to a file first, read it, and only then run it. You can also download ASL Lite from the following page:
http://www.atomicorp.com/downloads.html
ASL Lite will ultimately replace the "Rules-Only" subscription; for now it is optional. You do not need it to download the rules, but you are encouraged to use it. It is currently available for RHEL 4/5, CentOS 4/5, and Fedora 6-12. Other operating systems can be added upon request.
To install ASL Lite:

1) Add the atomic repository

    wget -q -O - http://www.atomicorp.com/installers/atomic | sh

2) Install asl-lite and its support packages

    yum install asl-lite

3) Configure ASL Lite with your username/password, set path information, configured rules, and restart commands

    asl-lite -c

4) Update your ruleset:

    asl-lite -u

ASL users: DO NOT USE THIS. YOU DO NOT NEED IT AND IT WILL BREAK YOUR SETUP. ASL DOES THIS FOR YOU AUTOMATICALLY.
Tuning the Rules/Disabling Rules

See the mod_security page for details.

Troubleshoot the Rules

See the Atomicorp WAF Rules Troubleshooting page for details.

Reporting False Positives

See the Reporting False Positives page for details.

Special notes for CPANEL users not using ASL
cPanel also includes a very minimal configuration for ModSecurity that does not include all of the required and optimal settings documented here. Therefore, if you use mod_security with cPanel, it is critical that you add these additional settings to get the full feature set of mod_security.

If you are using our module and configuration files with cPanel, or you are using ASL with cPanel, then you do not need to follow any of these notes.

These installation notes are required for users who choose to use cPanel's ModSecurity module and configuration files with our rules.

cPanel includes its own ModSecurity configuration files and its own ModSecurity module. These should work with our rules if they are configured according to this page and you are using at least version 2.5.11 of ModSecurity.

Make sure you have all of the settings on this page in place to use ModSecurity with cPanel correctly. Failing to do that will make it impossible for us to support you, and ModSecurity will not work correctly, exposing your system to attack.
A typical cpanel configuration file looks like this:
    LoadFile /opt/xml2/lib/libxml2.so
    LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecAuditEngine RelevantOnly
    SecAuditLog logs/modsec_audit.log
    SecDebugLog logs/modsec_debug_log
    SecDebugLogLevel 0
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"

This configuration is missing several important directives, so you will need to change it to this (the added directives are the block from SecRequestBodyAccess through SecResponseBodyLimitAction):

    LoadFile /opt/xml2/lib/libxml2.so
    LoadFile /opt/lua/lib/liblua.so
    LoadModule security2_module modules/mod_security2.so
    SecRuleEngine On
    # See http://www.modsecurity.org/documentation/ModSecurity-Migration-Matrix.pdf
    # "Add the rules that will do exactly the same as the directives"
    # SecFilterCheckURLEncoding On
    # SecFilterForceByteRange 0 255
    SecRequestBodyAccess On
    SecResponseBodyAccess On
    SecResponseBodyMimeType (null) text/html text/plain text/xml
    SecResponseBodyLimit 2621440
    SecServerSignature Apache
    SecComponentSignature 201001051959
    SecUploadDir /var/asl/data/suspicious
    SecUploadKeepFiles Off
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogType Concurrent
    SecAuditLog logs/modsec_audit.log
    SecAuditLogParts ABIFHZ
    SecArgumentSeparator "&"
    SecCookieFormat 0
    SecRequestBodyInMemoryLimit 131072
    SecDataDir /var/asl/data/msa
    SecTmpDir /tmp
    SecAuditLogStorageDir /var/asl/data/audit
    SecResponseBodyLimitAction ProcessPartial
    SecDefaultAction "phase:2,deny,log,status:406"
    SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow
    Include "/usr/local/apache/conf/modsec2.user.conf"

cPanel users will need to verify manually that the mod_unique_id module is loaded by cPanel's Apache. Also be aware that the stock SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow line exempts requests from localhost from every rule in phase 2 and later, including ours; keep that in mind when testing from the server itself (see the testing section below).
Loading rules occurs through this file:
/usr/local/apache/conf/modsec2.user.conf
For example, if you want to load all the ASL rules, add this line to the bottom of modsec2.user.conf:
    Include /full/path/to/your/rules/modsecurity.d/*asl*.conf

If you want to load just some of the rules, specify only those rule files. For example:

    Include /full/path/to/your/rules/modsecurity.d/10_asl_rules.conf
    Include /full/path/to/your/rules/modsecurity.d/99_asl_jitp.conf

NOTE: If you use this file:

    05_asl_scanner.conf

make sure you have clamd installed and configured to listen on a TCP port, or, if you use a socket, make sure Apache can read from and write to that socket; running clamd as root is a last resort. Using this file forces all web uploads on your system to go through ClamAV to look for malware, viruses and so on. If you do not need that, leave this config file out.
You will have to adjust the path to the specific location you choose for your system. Another option is to use symlinks to create the same directories in different locations. This is a typical cpanel path, but check your system to make sure it is correct:
/usr/local/apache/conf/modsec2.user.conf
cPanel also does not run Apache as a standard user (such as apache) but as the older non-privileged user "nobody". You will need to ensure that the work directories mod_security uses are owned by the user cPanel runs Apache as. To find this out, run this command as root:

    ps auxwww | grep httpd

    root   20594 86.8 3.1 255148 181232 ? Ss 11:39 0:04 /usr/local/apache/bin/httpd -k restart
    root   20611  0.0 3.1 255060 179596 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20612  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20613  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20614  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20615  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart
    nobody 20616  0.0 3.1 255148 180224 ? S  11:39 0:00 /usr/local/apache/bin/httpd -k restart

In this example from a CentOS system running cPanel the worker user is "nobody", so you would use these commands:

    chown nobody:nobody /var/asl/data/msa
    chown nobody:nobody /var/asl/data/audit
    chown nobody:nobody /var/asl/data/suspicious
    chmod -R o-rx /var/asl/data/*
    chmod -R ug+rwx /var/asl/data/*
Testing to see if the rules are loaded
Note: This test assumes you do not have any rules disabled.

Here is an easy test to know for sure. On the system where the rules are installed, run this command (this assumes you have wget installed; the URL is quoted so the shell does not interpret the ? and & characters):

    wget 'http://localhost/foo.php?foo=http://fakeattacker.com'

You should get a 403 error if the rules are loaded, which will look similar to this:

    --2010-05-27 20:12:25--  http://localhost/foo.php?foo=http://fakeattacker.com
    Resolving localhost... 127.0.0.1
    Connecting to localhost|127.0.0.1|:80... connected.
    HTTP request sent, awaiting response... 403 Forbidden
    2010-05-27 20:12:25 ERROR 403: Forbidden.

If you do not have wget installed, install it or a similar tool. You can also use your browser to test the rules by going to this URL:

http://YOUR_HOST/foo.php?foo=http://fakeattacker.com

If the rules are properly loaded you should get a 403 error. If you do not get a 403, the rules are not loaded and you need to check your configuration to ensure that you have followed the instructions above correctly.

cPanel users: the stock cPanel configuration shown above contains SecRule REMOTE_ADDR "^127.0.0.1$" nolog,allow, which exempts requests from localhost from all rules in phase 2 and later, so the wget test run on the server itself may not return 403 even though the rules are loaded. Test from another host (or with the browser URL above), or temporarily comment that line out.
References:
- ModSecurity: http://www.modsecurity.org
- How-To Forge: http://www.howtoforge.com/apache_mod_security
- Jason Litka: http://www.jasonlitka.com/2007/08/24/mod-security-packages-now-available/
- My Whiteboard: http://www.my-whiteboard.com/linux-admin/protect-your-web-server-from-security-attacks-using-modsecurity.html
- Atomic: http://www.atomicorp.com/wiki/index.php/Atomic_ModSecurity_Rules
- http://www.baselogic.com/blog/system-administration/apache-mod_security-on-centos-5-x86_64